- From: Anne van Kesteren <annevk@opera.com>
- Date: Sat, 04 Apr 2009 12:17:44 +0200
- To: "Bil Corry" <bil@corry.biz>, "Jonas Sicking" <jonas@sicking.cc>
- Cc: "Ian Hickson" <ian@hixie.ch>, "Adam Barth" <w3c@adambarth.com>, public-webapps@w3.org, "Maciej Stachowiak" <mjs@apple.com>, "Sam Weinig" <weinig@apple.com>

On Fri, 03 Apr 2009 22:05:52 +0200, Bil Corry <bil@corry.biz> wrote:

> So the first question to ponder is if the referrer header really can
> adequately replace Origin. If it can, then we should move this
> discussion over to ietf-http-wg and work to make sure referrer is
> updated in a way to make it useful for CSRF protection. If it can not,
> then we should discuss Origin here as the ietf-http-wg has made it very
> clear that they are not interested.

FWIW, for CORS it's too late to rename Origin now that we have three implementations, one of which is shipping (IE) and two that are in beta (Firefox, Safari). (Anyone know which version of Chrome supports CORS?)

CORS defines the Origin header as well:

http://www.w3.org/TR/2009/WD-cors-20090317/#origin-request-header

It has also been registered in the provisional header registry from IANA for quite a while.

--
Anne van Kesteren
http://annevankesteren.nl/

Received on Saturday, 4 April 2009 10:19:02 UTC